Danko Greiner said:
Thanx Willy, this was very helpful.
But i also need (and want to know) how to do this from code.
Can you plase give me right topic in MSDN? is there good example?
Thanx
p.s. this is copy/paste from previous thread, don't ask why...
There are a number of alternatives, in order of my personal preference:
1. Wait for Whidbey if you can.
2. Use System.Management namespace classes and WMI, as the semantics closely
resemble what's been done in 1.
3. Use System.Directory namespace classes, as an alternative for 2 only when
running on XP or higher, this involves some COM interop to access the ADSI
security classes.
4. Use PInvoke to call the functions from the Win32 security API set.
Note that whatever method you choose you should be aware that managing
security permissions is hard and there are a lot of things you should be
aware of at the Win32 API level. Following is a sample of 2, just to give
you an idea how it looks like.
using System;
using System.Management;
using System.Collections;
// AccessPrivileges mask (Check MSDN )
[Flags]
enum AccessPrivileges : uint
{
FileReadData = 0x00000001,
FileWriteData = 0x00000002,
FileAppendData = 0x00000004,
FileReadEA = 0x00000008,
FileWriteEA = 0x00000010,
FileExecute = 0x00000020,
FileDeleteChild = 0x00000040,
FileReadAttributes = 0x00000080,
FileWriteAttributes= 0x00000100,
Delete = 0x00010000,
ReadControl = 0x00020000,
WriteDac = 0x00040000,
WriteOwner = 0x00080000,
Synchronize = 0x00100000,
AccessSystemSecurity = 0x01000000,
MaximumAllowed = 0x02000000,
GenericAll = 0x10000000,
GenericExecute= 0x20000000,
GenericWrite = 0x40000000,
GenericRead = 0x80000000
}
[Flags]
enum AceFlags : uint
{
NonInheritAce = 0,
ObjectInheritAce = 1,
ContainerInheritAce = 2,
NoPropagateInheritAce = 4,
InheritOnlyAce = 8,
InheritedAce = 16
}
[Flags]
enum AceType : uint
{
AccessAllowed = 0,
AccessDenied = 1,
Audit = 2
}
public class FileObjectSecurity
{
// ManagementPath path;
ManagementObject lfs;
ManagementBaseObject Descriptor; // Security descriptor for this object
ManagementBaseObject[] dacl;
public FileObjectSecurity(string FileSystemObject)
{
ManagementPath path = new ManagementPath();
path.Server = "."; // server name (. for local machine)
path.NamespacePath = @"root\cimv2";
path.RelativePath = @"Win32_LogicalFileSecuritySetting.Path=" + "'" +
FileSystemObject + "'";
lfs = new ManagementObject(path);
// Get the security descriptor for this object
ManagementBaseObject outParams =
lfs.InvokeMethod("GetSecurityDescriptor", null, null);
if (((uint)(outParams.Properties["ReturnValue"].Value)) == 0) // if
success
{
Descriptor =
((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
//The DACL is an array of Win32_ACE objects.
dacl = ((ManagementBaseObject[])(Descriptor.Properties["Dacl"].Value));
}
}
public void DumpDaclToConsole()
{
foreach(ManagementBaseObject mbo in this.dacl){
Console.WriteLine("-------------------------------------------------");
Console.WriteLine("{0:X} - {1} - {2}", mbo["AccessMask"],
Enum.Format(typeof(AceFlags), mbo["AceFlags"], "g") , mbo["AceType"]);
// Access allowed/denied ACE
if(Convert.ToInt32(mbo["AceType"]) == (int)AceType.AccessDenied)
Console.WriteLine("DENIED ACE TYPE");
else
Console.WriteLine("ALLOWED ACE TYPE");
// Dump trustees
ManagementBaseObject Trustee = ((ManagementBaseObject)(mbo["Trustee"]));
Console.WriteLine("Name: {0} - Domain: {1} - SID {2}\n",
Trustee.Properties["Name"].Value,
Trustee.Properties["Domain"].Value,
Trustee.Properties["SIDString"].Value);
// Dump ACE mask in readable form
UInt32 mask = (UInt32)mbo["AccessMask"];
Console.WriteLine(System.Enum.Format(typeof(AccessPrivileges), mask,
"g"));
}
}
// Add an ACE to the DACL
public bool AddEntryToDacl(string TrusteeName, Enum AccessPrivileges)
{
bool ret = false;
Array newDACL;
// Copy the non-inherited aces
ArrayList aceList = new ArrayList();
foreach(ManagementBaseObject entry in this.dacl)
aceList.Add(entry);
// Creates and initializes a one-dimensional Array of type
ManagementBaseObject
// with space for one extra direct ACE.
newDACL=Array.CreateInstance( typeof(ManagementBaseObject), aceList.Count
+ 1);
// Copy AL to Array
aceList.CopyTo(newDACL);
ManagementBaseObject trustee = null;
ManagementBaseObject ace = null;
// Initialize new Trustee (here a local account as sample)
try {
trustee = new ManagementClass( @"Win32_Trustee" );
// trustee.Properties["Domain"].Value = ""; // if domain other then local
machine
trustee.Properties["Name"].Value = TrusteeName;
}
// catch if non existing trustee
catch (Exception e)
{
Console.WriteLine(e.Message);
return ret;
}
try {
ace = new ManagementClass( @"Win32_ACE" );
ace.Properties["AccessMask"].Value = AccessPrivileges;
ace.Properties["AceFlags"].Value = AceFlags.NoPropagateInheritAce;
ace.Properties["AceType"].Value = AceType.AccessAllowed;
ace.Properties["Trustee"].Value = trustee;
}
catch (Exception e)
{
Console.WriteLine(e.Message);
return ret;
}
newDACL.SetValue(ace, newDACL.Length - 1);
// Re-write Security Descriptor
if(WriteSecurityDescriptor((ManagementBaseObject[])newDACL) == 0)
ret = true;
return ret;
}
private int WriteSecurityDescriptor(ManagementBaseObject[] Dacl)
{
ManagementBaseObject inParams =
lfs.GetMethodParameters("SetSecurityDescriptor");
Descriptor.Properties["Dacl"].Value = Dacl;
inParams["Descriptor"] = Descriptor;
ManagementBaseObject ret = lfs.InvokeMethod("SetSecurityDescriptor",
inParams, null);
return Convert.ToInt32(ret.Properties["ReturnValue"].Value);
}
}
class Tester {
public static void Main()
{
// Create FileObjectSecurity passing the file object (filepath) to the
ctor.
// Watch the double backslashes !!!!
FileObjectSecurity fos = new FileObjectSecurity(@"c:\\someFoledr");
fos.DumpDaclToConsole();
fos.AddEntryToDacl("Everyone", AccessPrivileges.FileWriteData);
}
}
Willy.
